
As a point of clarity, we're not discussing using SSL for Hackage, this part of the thread is about Alex's SearchPath tool. (snip)
Look, cryptographically GPG and SSL are very similar. With either one, if you trust long chains of signings, you are at risk that any intervening key has been compromised.
I agree. My only question is really in tool support and keyring / certificate management. For instance, are there tools like gnupg where you can interactively browse and sign keys, upload signatures to central keystores, have sets of trusted vs untrusted keys, etc. I've found SSL to be very hard to work with, though I suppose you could automate things, and I wouldn't be surprised to hear if there are tools like gnupg for SSL certs. I'd be glad to hear that, actually :) (snip)
The real differentiator between SSL and GPG is that the former is transport level while the latter is file level. With SSL, I think you suffer additional complexity each time you set up a web server. With GPG, you suffer additional complexity each time you create a new file to share.
We don't "suffer additional complexity". You merely type in your key password when uploading a single tarball. That is "cabal-put foo-1.0.tgz" ... type your password.
I think most people create many more files to share than they set up web servers to serve them so I prefer the SSL model.
Many people who want to share packages don't configure their own web servers.

peace, isaac